agenda

1415: Introductions 

1420: The 20 minute tour of Ruby 

1440: Blackbag 

1445: Webby Blackbag 

1500: Protocol Blackbag 

1515: Break 

1530: Fuzzing and Redis 

1550: Ragweed: Part 1 

1610: Ragweed: Part 2 

1630: Coffee Service 

1700: Making Burp better with Buby 

1715: JRuby 

1725: FFI 
Ruby in 20 Minutes

Gems and packages

Lab: The basics

Ruby Blackbag (rbkb)

Do less typing

Lab: rbkb

rbkb




Scripted Webby Stuff 
What do we need to script a webapp?


Transport

Encoding / Decoding
Lab: Simple SQLi scanner

Protocol Reversing w/ Blackbag

General protocol approach

Establish the flow 

Observe it 

Understand it

Manipulate it 
demo: when all you have is pcap...

demo: the blackbag flow

exercise: tcp protocol lab


Get in the middle 



Manipulate

Exploit 
exercise: build protocol structures

demo: eventmachine and UDP


event loops 
demo: TLS tricks


TLS MITM & self 





Fuzzing 
the what


smart 
the why


memory corruption

crypto

control
demo: generator patterns

demo: the harder stuff

intro to redis





lab: fuzzing with redis 


Ragweed: Instrumentation & Getting Started
Why a scriptable debugger?


Hit tracing

Fuzzing

runtime
What do we script?



How?

The target



root@Caladan32:~$ objdump -tj .text monte

monte:     file format elf32-i386

SYMBOL TABLE:
l    d  .text  00000000  .text
l    F  .text  00000000  __do_global_dtors_aux
l    F  .text  00000000  frame_dummy
l    F  .text  00000000  __do_global_ctors_aux
g    F  .text  00000005  __libc_csu_fini
g    F  .text  00000000  _start
g    F  .text  0000005a  __libc_csu_init
g    F  .text  00000015  out_circle
g    F  .text  00000015  in_circle
g    F  .text  00000000  .hidden __i686.get_pc_thunk.bx
g    F  .text  0000019d  main







Demo: arguments and registers 



ruby for pentesters 




Exercise: function arguments 









Walkthrough: function arguments 
Ragweed: Hit Tracing and in Memory Fuzzing

What do we mean by that?

Automate this!


accounting 





Exercise: Break stuff! 

in memory fuzzing 

hit tracing 
Ragweed: the intermission

Recap

in memory fuzzing 





Burp + Jruby 
buby is your friend

Lab: CookieMonster

Lab: CookieMunger

Jruby tricks

demo: extending our buby example


load jar

import

obj
FFI: interfacing with C

No gem, no problem

SECURITY





This is your C struct

    struct timezone {
        int tz_minuteswest;
        int tz_dsttime;
    };

    struct timeval {
        time_t      tv_sec;
        suseconds_t tv_usec;
    };
This is your C struct on Ruby

    require 'ffi'

    module Libc
      extend FFI::Library
      ffi_lib 'libc'

      # field names and types mirror the C declaration one for one
      class Timezone < FFI::Struct
        layout :tz_minuteswest, :int,
               :tz_dsttime,     :int
      end

      class Timeval < FFI::Struct
        layout :tv_sec,  :time_t,
               :tv_usec, :suseconds_t
      end
    end
Calling C functions

definition

    int printf(const char *restrict format, ...);

setup

    attach_function 'printf', [:string, :varargs], :int

call

    Libc.printf("cputs %s %x %d", :string, "demo", :int, 0x33, :int, 42)
Exercise: execv

definition

    int execv(const char *path, char *const argv[]);

    argv = FFI::MemoryPointer.new(:pointer, args.size + 2)
    argv[0].put_pointer(0, FFI::MemoryPointer.from_string(path.to_s))
Walkthrough: execv spoiler

    # assumes the setup step: attach_function :execv, [:string, :pointer], :int
    def execv(path, *args)
      FFI.errno = 0
      args.flatten!
      # room for the program name, every argument, and the NULL terminator
      argv = FFI::MemoryPointer.new(:pointer, args.size + 2)
      # keep the string buffers referenced so GC cannot free them before execv runs
      strings = [FFI::MemoryPointer.from_string(path.to_s)]
      argv[0].put_pointer(0, strings[0])
      args.each_with_index do |arg, i|
        strings << FFI::MemoryPointer.from_string(arg.to_s)
        argv[i + 1].put_pointer(0, strings.last)
      end
      argv[args.size + 1].put_pointer(0, nil)
      Libc.execv(path, argv)
      # execv only returns on failure, so reaching this line means an error
      raise SystemCallError.new('execv', FFI.errno)
    end